Supply Chain Audit: Key Risks, Guidance, and Sample Questions
Supply chain disruption is one of the most visible risks impacting many organizations. Issues in the supply chain, such as production slowdowns, inventory shortages, or delayed delivery, impact businesses and consumers alike. Gartner’s 2022 Audit Plan Hot Spots report calls out the supply chain as a top 10 risk that should be on every auditor’s radar. Since you will probably need to perform this audit soon, we have designed this article to get you up to speed on the fundamentals of supply chain auditing, including top risks and a downloadable sample supply chain audit questionnaire.
Five Supply Chain Risks to Include in Your Assessment
A supply chain audit reviews any or all of the activities and processes that an organization follows to deliver products or services to its customers. Supply chain risks include all the possible disruptions that can prevent goods and materials from getting to you or your consumers, but these are far too numerous to audit. The Gartner Hot Spots report highlights two main drivers of increased supply chain risk, “Key Goods and Materials Shortages” and “Logistics and Shipping Challenges,” both underlying factors in increased costs of goods and materials. As we complete the risk assessment, we can consider how these drivers affect the following key risks.
For better insights into these risks, consider partnering with internal teams who have insight into the supply chain — legal operations for contracts, vendor risk management, distribution center, and procurement teams will have useful information you can leverage. If your organization is a supplier to others, you will want to converse with the distribution center team to see how they are meeting SLAs and to ensure they are meeting shipping requirements.
1. Reputational Risk
If your suppliers are experiencing shortages or logistical delays, your reputation can be damaged due to your perceived inability to fulfill orders. Your customers will not know about your supply chain disruptions, only that you are not meeting their needs. While some loyal customers may sympathize with your situation, others will find new business relationships.
Your reputation is also tied to your suppliers’ actions. The public is likely to judge you harshly if you have business arrangements with suppliers that have a negative public perception.
2. Cybersecurity Risk
Cybersecurity incidents also add to shortages and delays. Cybersecurity breaches within a factory, distribution center, or trucking company can decrease your ability to meet your consumers’ requirements. When ransomware hackers hijacked the Colonial Pipeline, there was a ripple effect through many supply chains. After the public responded with panic buying, logistics companies with trucks on the road experienced challenges finding fuel, leading to shipping delays. If merchandise is delayed in getting to consumers, they might blame the company from which they purchased the item, even though the delay occurred further up the chain and impacted the shipping company.
3. Geopolitical Risk
Trade wars, border tension, and government instability are creating bottlenecks in supply chains worldwide. Some goods and merchandise are only available from limited sources, so finding backup suppliers can be difficult, leading to potential shortages. To understand the risk in your supply chain, you need to know where in the world your goods and materials originate and the path they take to get to you.
4. Contract Compliance Risk
Contracts are critical to auditing your supply chain. The contract generally dictates what level of audit interaction you can have with the vendor and sets out their performance metrics. The first step is to ensure someone owns the contracts and enforces the commitments. Then, for auditors, contracts will often have a right-to-audit clause and service level agreements, or SLAs, that will provide the detail you need before starting an audit. You also need to look for language in the contract that shields your company from any illegal actions the supplier may commit.
5. Quality Risk
When there are shortages, suppliers will sometimes substitute a lesser product when the standard product is unavailable or to reduce the cost. We saw this during the pandemic when suppliers sent hospitals lesser quality gloves. Suppliers were sending gloves made from latex instead of the higher quality nitrile material. The actions of a supplier can have a huge impact on your ability to continue your work and the safety of your employees and customers.
Supply Chain Audit Questionnaire
We can design the supply chain audit questionnaire around the five key risks listed above. The questions below can serve as a supply chain audit program, guiding you during fieldwork to understand the controls in place for each risk.
Reputation
- What backup plans are in place for critical vendors?
- Are there any “sole source” providers who supply critical elements to the supply chain?
- Are suppliers held to any ethical standards and monitored for negative headlines and open litigation?
- Are excess supplies of critical parts/systems retained?
- What plans are in place to manage labor shortages?
Cybersecurity
- Are suppliers asked to provide evidence of strong internal IT controls (e.g., SOC reports)?
- Does the supplier have an internal audit team that reviews cybersecurity?
- What are the results of my organization’s recent cybersecurity review?
Geopolitical Exposure
- Does your procurement process consider location, reputation, and financial stability as factors when choosing suppliers?
- Are critical suppliers located in high-risk global locations?
- Are supplier locations evaluated annually for geopolitical, reputational, security, and financial risk?
Contract Compliance
- Does your company track delivery timeliness to commitments and follow up on delays?
- Are “right to audit” clauses included in contracts with suppliers? Has the clause ever been enforced?
- Are SLAs included and enforced with the ability to revise the SLAs over time?
- What SLA requirements does our organization have? What is the impact if we don’t meet these SLAs?
Quality
- Are quality checks performed on goods and materials received from suppliers?
- How are quality standards communicated and enforced?
- Do employees have a process for reporting quality issues?
- Are suppliers ISO 9001 certified?
Outcomes from a Supply Chain Audit
The result of the supply chain audit will influence the recommendations made by the audit team. Some of the most common outcomes include:
- Procurement process improvements.
- Compliance program creation.
- Contract tracking software implementation.
- Contract compliance monitoring.
- Materials quality assessment.
- Supplier rebidding and replacement.
- Backup supplier search.
Whatever the supply chain audit outcome, you will end with a better understanding of the risk and control environment impacting your supply chain, and confidence in your internal processes. With so much uncertainty surrounding suppliers and global logistics, having strong supply chain risk management can mean the difference between failure and organizational longevity.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance.